Your Security Program Was Built for a Threat Landscape That No Longer Exists

A recent Huntress survey reveals that modern security teams struggle primarily with alert fatigue and a shifting threat landscape rather than budget constraints. Organizations are increasingly vulnerable to identity-based attacks such as business email compromise and session hijacking, necessitating a strategic pivot from traditional endpoint-centric prevention to Identity Threat Detection and Response (ITDR) supported by AI.

Conf: high | Analyzed: 2026-04-16 | reports

Source: Huntress

Key Takeaways

  • Most security teams are small, with nearly one in five organizations relying on a single person for cybersecurity.
  • Identity-based attacks (BEC, account takeover, session hijacking) are the top threats organizations feel least prepared to defend against.
  • Alert noise is a critical issue, with nearly two-thirds of teams reporting that at least 25% of their alerts are false positives.
  • AI is increasingly utilized to accelerate analysis, reduce noise, and prevent analyst burnout.
  • Security programs must shift focus from traditional malware prevention to identity threat detection and resilient operations.

Affected Systems

  • Cloud Identities
  • SaaS Applications
  • Authentication Systems

Attack Chain

Threat actors compromise valid user identities and authenticate from suspicious, newly seen data center locations. Once authenticated, they may abuse SaaS permissions and session tokens to maintain access. Defenders detect this activity by monitoring ITDR telemetry for anomalous login locations, new OS/browser combinations, and token theft indicators, subsequently disabling the compromised accounts before further damage occurs.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Huntress ITDR

The article references Huntress ITDR rules for detecting suspicious authentications, token theft, and credential theft based on new locations, OS, and browsers, but does not provide raw detection queries.

Detection Engineering Assessment

  • EDR Visibility: Low — The attacks focus on cloud identities, session tokens, and SaaS applications, which traditional endpoint EDR solutions typically do not monitor.
  • Network Visibility: Medium — Network logs can capture authentication traffic to cloud providers, but encrypted SaaS traffic limits deep visibility without specific identity provider integrations.
  • Detection Difficulty: Moderate — Detecting identity abuse requires distinguishing between legitimate user behavior and attacker activity using valid credentials, often necessitating behavioral analytics and context such as location and device history.

Required Log Sources

  • Cloud Identity Provider (IdP) Logs
  • SaaS Application Audit Logs
  • Authentication Logs

Hunting Hypotheses

  • Hypothesis: Threat actors are utilizing compromised credentials to authenticate from known data center IP ranges or VPNs rather than typical residential or corporate ISPs.
    Telemetry: Authentication logs, Identity Provider (IdP) logs
    ATT&CK Stage: Initial Access
    FP Risk: Medium
  • Hypothesis: Attackers are hijacking active web sessions, resulting in authentication events with mismatched OS or browser user agents compared to the user's historical baseline.
    Telemetry: SaaS audit logs, IdP logs
    ATT&CK Stage: Defense Evasion
    FP Risk: Low

Control Gaps

  • Traditional Endpoint Antivirus
  • Malware-centric EDR

Key Behavioral Indicators

  • Logins from suspicious data center locations
  • New OS or browser combinations for a user
  • Simultaneous logins from geographically distant locations
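The hunting hypotheses and behavioral indicators above can be expressed as a small baseline-comparison routine over IdP sign-in events. The following is an added illustration, not code from the Huntress article or product; the data-center range, travel-speed threshold, user baselines and events are all constructed for the example.

```python
# Added example (not the Huntress article's code): toy ITDR-style hunting logic
# over constructed sign-in events, flagging the indicators the page names:
# logins from data-center ranges, an OS/browser pair never seen for the user,
# and two logins too far apart in space for the time between them.
from ipaddress import ip_address, ip_network
from datetime import datetime
from math import radians, sin, cos, asin, sqrt
DATACENTER_RANGES = [ip_network("203.0.113.0/24")]  # constructed (TEST-NET-3)
MAX_KMH = 900  # assumed upper bound for plausible travel between logins

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) tuples."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def hunt(baseline, events):
    """Return (user, indicator) pairs for events deviating from the user's baseline."""
    findings = []
    for ev in events:
        user = ev["user"]
        seen = baseline.get(user, set())  # unknown user: every OS/browser pair is new
        if any(ip_address(ev["ip"]) in net for net in DATACENTER_RANGES):
            findings.append((user, "datacenter_login"))
        if (ev["os"], ev["browser"]) not in seen:
            findings.append((user, "new_os_browser"))
    last = {}  # impossible travel: compare each login with the user's previous one
    for ev in sorted(events, key=lambda e: e["ts"]):
        prev = last.get(ev["user"])
        if prev and prev["geo"] != ev["geo"]:
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            if km_between(prev["geo"], ev["geo"]) / max(hours, 1e-9) > MAX_KMH:
                findings.append((ev["user"], "impossible_travel"))
        last[ev["user"]] = ev
    return findings

# Constructed baseline: the (os, browser) pairs each user normally signs in with.
BASELINE = {"alice": {("Windows", "Edge")}, "bob": {("macOS", "Safari")}}
T = datetime.fromisoformat
EVENTS = [  # constructed IdP events; IPs are documentation ranges, geo is (lat, lon)
    {"user": "alice", "ts": T("2026-04-16T09:00"), "ip": "198.51.100.7",
     "os": "Windows", "browser": "Edge", "geo": (43.65, -79.38)},  # usual pattern
    {"user": "alice", "ts": T("2026-04-16T09:30"), "ip": "203.0.113.9",
     "os": "Linux", "browser": "Chrome", "geo": (52.52, 13.40)},  # deviates on all three
    {"user": "bob", "ts": T("2026-04-16T10:00"), "ip": "198.51.100.8",
     "os": "macOS", "browser": "Safari", "geo": (43.65, -79.38)},  # usual pattern
]

if __name__ == "__main__":
    for user, indicator in hunt(BASELINE, EVENTS):
        print(f"{user}: {indicator}")
```

A real deployment would build the baseline from weeks of IdP history and source the data-center ranges from an ASN feed; the `max(hours, 1e-9)` guard is what makes genuinely simultaneous logins from distant locations score as impossible travel rather than divide by zero.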

False Positive Assessment

  • High

Recommendations

Immediate Mitigation

  • Audit alert quality to reduce false positives and analyst fatigue.
  • Disable compromised accounts immediately upon detecting suspicious authentication.

Infrastructure Hardening

  • Implement Identity Threat Detection and Response (ITDR) solutions.
  • Gain visibility into session behavior, SaaS permissions, and token usage beyond basic MFA/SSO.

User Protection

  • Enforce Multi-Factor Authentication (MFA) and Single Sign-On (SSO) as baseline protections.

Security Awareness

  • Clarify incident response ownership and roles before an incident occurs.
  • Design systems that account for human error under pressure rather than assuming perfection.

MITRE ATT&CK Mapping

  • T1078 - Valid Accounts
  • T1078.004 - Valid Accounts: Cloud Accounts
  • T1566 - Phishing
  • T1550.004 - Use Alternate Authentication Material: Web Session Cookie